We propose a mechanism for the vertical refinement of bigraphical reactive systems, based upon a mechanism for limiting observations and utilising the underlying categorical structure of bigraphs. We present a motivating example to demonstrate that the proposed notion of refinement is sensible with respect to the theory of bigraphical reactive systems; and we propose a sufficient condition for guaranteeing the existence of a safety-preserving vertical refinement. We postulate the existence of a complementary notion of horizontal refinement for bigraphical agents, and finally we discuss the connection of this work to the general refinement of Reeves and Streader.

1 Introduction 

Refinement is the process of gradually developing a specification towards a suitable implementation, 
through a series of steps in which more concrete entities are shown to be as acceptable as the more 
abstract entities preceding it in the chain of refinement steps, based upon what may be observed of 
these entities. The utility of this method has been demonstrated through many years of application in 
academic and industrial settings. In this paper we attempt to bring these well-studied benefits to a new 
class of systems — namely, bigraphical reactive systems. We focus primarily on vertical refinement,
where the aim is to relate models constructed with respect to different semantics.

A bigraphical reactive system (BRS) is a model construction paradigm proposed by Milner and colleagues that aims to enable modelling of interactive systems within a cohesive theoretical framework. While the primary long-term focus of bigraphs is on models of ubiquitous and context-aware systems, they have demonstrated value in other areas such as biological applications and business processes [25]. Bigraphical reactive systems also capture the syntactic and semantic structure of many formalisms associated with process modelling, providing a unifying meta-calculus within which to relate many of these well-developed theories. Already encodings into various bigraphical reactive systems have been demonstrated for, amongst others, the λ-calculus, CCS, the Mobile Ambients calculus, several variants of the π-calculus, the Fusion Calculus and Petri Nets.

Bigraphical reactive systems consist of two graphs (hence the name bigraph) modelling the orthogonal notions of locality and connectivity which together capture the static structure of a system, and a set of reaction rules that may selectively rewrite portions of the bigraph in order to capture the dynamic behaviour of that system. We will introduce bigraphs and bigraphical reactive systems (assuming no prior knowledge) in Section 2.

Figure 1: The constituent place (1a) and link (1b) graphs that form a particular bigraph. Panels: (a) Place Graph; (b) Link Graph.



The usual notion of "observation" in a BRS is derived from the above notion of dynamic behaviour: a 
BRS gives rise to an LTS, the labels of which are simply the least context enabling reaction. The present 
effort towards refinement takes this connection between static structure and dynamic behaviour to heart, 
and attempts to short-circuit the LTS in favour of a more directly structural mechanism of refinement. 
This makes sense uniquely for bigraphs exactly because of the close correspondence between structure 
and dynamics. The primary contribution of this paper is to introduce such a mechanism as a small step 
towards bringing the well-established benefits of refinement to models constructed within the bigraph 
formalism. Additionally, we give a sufficient condition for an abstraction functor (Section 4) to give rise
to a safe refinement, and show that this notion of refinement corresponds with (and indeed, in part is an
instance of) the general refinement of Reeves and Streader [23, 24].



1.1 Structure of the paper 

The remainder of this paper is structured as follows: We review bigraphs (assuming no prior knowledge) in Section 2. In Section 3 we introduce a running example that will be used to illustrate all of the concepts presented. In Section 4 we present our definition of vertical refinement for bigraphical reactive systems and show that the proposed refinement preserves safety properties with respect to the abstraction functor upon which it is parametrised. Additionally, we present a sufficient condition for an abstraction functor to give rise to a safe refinement. Finally, in Section 5 we discuss a candidate horizontal refinement mechanism for bigraphical agents, derived from the general refinement of Reeves and Streader [23, 24], and discuss the connection of this work to general refinement.



2 Bigraphical Reactive Systems 

Bigraphical reactive systems are a graphical formalism emphasising the orthogonal notions of locality
and connectivity. A BRS is a category of bigraphs and a set of reaction rules that may be applied to 
rewrite these bigraphs. We provide here a short, informal introduction to the anatomy of a BRS without 
assuming any prior knowledge. For a complete treatment of bigraphs and BRSs, readers are referred to 

GUCE). 

Figure 2: The bigraph resulting from the combination of the place and link graphs in Fig. 1a and Fig. 1b. This bigraph is an agent of the $BRS_{notify}$ example BRS with signature $\Sigma = \{Z, U, F, N\}$ that we will introduce in Section 3.



2.1 Static Structure 

The most basic construction within the static fragment of bigraphical reactive systems is the node. This follows from the normal definition of a node within graph theory. To nodes we assign controls, which are drawn from a signature $\Sigma$, the set of controls. We sometimes use a convenient shorthand such that we may refer to a node as being an "X node", by which we really mean a node that has been assigned the control X. Nodes may be nested to arbitrary depth to form a tree that is known as the place graph (Fig. 1a). We represent this nesting by containment, as shown in Fig. 2. We distinguish between controls of two kinds: active and passive ones; we shall see later how active controls admit dynamic behaviour beneath them whereas passive controls do not. Every tree of nodes is contained by a region (the dotted border in Fig. 2). Bigraphs permit multiple regions (a place forest).

To controls (and therefore nodes) we assign a fixed arity, which defines the number of ports that a given node possesses. A port is a connection point on a node; it must always be connected to other such connection points by the link graph. The link graph (Fig. 1b) is an undirected hypergraph over the ports of the nodes of the place graph. A single (hyper) edge may connect arbitrarily many ports on different nodes.

Within the place graph, in addition to regions and nodes, there may also exist holes (known as sites in some bigraphs literature), which are expressed visually as shaded grey nodes (as in Fig. 3a). A hole is a location into which a region of another bigraph may be inserted by composition. It may be helpful to think of bigraphs with holes as "contexts" and those without as "processes" or "terms".

Present also within Fig. 3 are names that represent (named) points at which edges of the link graph may be fused to form a single (hyper) edge. In the intuition of contexts and terms, names of bigraphs roughly correspond to unstructured names, as in the π-calculus. By convention, outer names are drawn upwards, and inner names are drawn downwards. Outer names are analogous in the link graph to regions in the place graph, while inner names are analogous to holes. Through composition of link graphs, sets of inner and outer names that agree are matched and joined.

Definition 1 (Interface). An interface is a pair $(j, X)$ where < j, indicating the number of holes or regions, and $X$ is a set of (inner or outer) names.

Definition 2 (Bigraph). A bigraph is a 5-tuple:

$$(V, E, \mathit{ctrl}, \mathit{prnt}, \mathit{link}) : (k, X) \to (m, Y)$$

Here $V$ is the set of nodes, $E$ is the set of hyperedges, $\mathit{ctrl}$ is the control map that assigns controls (and therefore arities) to nodes, $\mathit{prnt}$ is the parent map that defines the tree structure in the place graph and $\mathit{link}$ is a link map that defines the link structure. The inner interface $(k, X)$ indicates that the bigraph has $k$ holes, and a set of inner names $X$. The outer interface $(m, Y)$ indicates that the bigraph has $m$ regions and a set of outer names $Y$.

Figure 3: The composition of two bigraphs A and B with their respective interfaces. Panels: (a) $A : (2, \{x, y\}) \to (1, \emptyset)$; (b) $B$, with inner interface $(0, \emptyset)$; (c) $A \circ B : (0, \emptyset) \to (1, \emptyset)$.

Definition 3 (Composition). Bigraphs are composed separately in the place and the link graphs. The interfaces of the bigraphs must be compatible in order for composition to be defined, i.e., the sets of names and the number of regions/holes must be the same. Fig. 3 illustrates the composition $A \circ B$ of bigraphs A and B. In the place graph, we insert contents of the left-most region of B into hole 0 of A, and the contents of the right-most region of B into hole 1 of A. Regions are numbered left-to-right: we insert the contents of region 0 into hole 0 etc. In the link graph, links are spliced together where there is name agreement between the inner and outer names of the bigraphs being composed. We may refer to A in this case as being a context into which B is inserted.

Definition 4 (Tensor Product). There exists an additional way in which to combine bigraphs, namely the tensor product $A \otimes B$, where A and B are bigraphs. Where A and B do not share any inner or outer names, this just involves juxtaposing their place graphs, taking the union of their names, and increasing the indices of holes in B to make them unique with respect to A. This definition obscures some technical details. It is recommended that readers interested in following the proofs in Section 4 refer to KlTi for a precise definition.



2.2 Notation 

We introduce a rudimentary term language for representing bigraphs that should be familiar to most readers accustomed to the notation for process algebras. The present language is not complete, i.e., it cannot express every bigraph, but it can express the ones we will use in examples. It is a subset of a complete such language [18]. We will use this term language in conjunction with the graphical representation used in Fig. 2.

Definition 5 (Bigraph Term Language). 

$$p ::= K(n_1, \ldots, n_{ar(K)}).p \ \mid\ p \,|\, p \ \mid\ -_i \ \mid\ \mathsf{nil}$$

Where $K \in \Sigma$.

Figure 4: Example bigraph terms with their associated graphical representation. Panels: (a) $K(n_1, \ldots, n_{ar(K)}).p$; (b) $a.-_0$; (c) $a.\mathsf{nil} \,|\, b.\mathsf{nil}$.

The term language requires some explanation — $K(n_1, \ldots, n_{ar(K)}).p$ is prefixing (Fig. 4a), indicating a node assigned the control $K$. The arity of $K$ is given by $ar(K)$. The sequence $n_1, \ldots, n_{ar(K)}$ are the ports of the node. Finally, the suffix $p$ is the term that is nested inside this node. $p \,|\, p$ is juxtaposition of terms (Fig. 4c), placing them as siblings within the place graph. $-_i$ is a hole (Fig. 4b), indexed by some integer < i. Finally, nil is the nil terminator which is simply the empty graph in the graph representation.



2.3 Dynamics 

Having introduced the basic structure of bigraphs, the static portion of a BRS, we now introduce the reactive portion of a BRS that imbues a system with dynamic behaviour. This relies on reaction rules that define rewriting that may be applied to a bigraph. A reaction rule $(R, R', \eta)$ consists of a redex $R$, a reactum $R'$ and an instantiation map $\eta$, where the redex is a bigraph to be matched and the reactum is the bigraph with which the matched portion of the bigraph should be replaced. The instantiation map indicates how parameters matched by holes in the redex should manifest in the reactum after matching. Where the instantiation map is unambiguous (e.g., it is the identity map), we may just write $R \to R'$.

Definition 6 (Reaction). Matching of a particular reaction rule $(R, R', \eta)$ against a particular bigraph $G$ and rewriting it into some other bigraph $G'$ proceeds by decomposition of the bigraph into a context $C$, a match $R$ (the redex), and a set of parameters $d$ (for portions of the bigraph that are matched by holes in the redex). This decomposition is then reassembled with the reactum $R'$ replacing the matched portion of $G$, with select parts of $d$ substituted into the holes of $R'$, forming the resulting bigraph $G'$.

$$G = C \circ R.d \to C \circ R'.\eta(d) = G'$$

We require further that the context $C$ be active, that is, that every control above holes of $C$ is active (see CCS example below).

We have suppressed details of the handling of names here by using the notation "R.d"; we have also suppressed details in the phrase "with select parts of d", and not explained the use of the map $\eta$. We refer the reader to OH or lTT9l for details. The present paper can be read without understanding these details, as reactions in our examples always take the form of the following special case:

$$a = C \circ R \circ d \to C \circ R' \circ d.$$

Definition 7 (Bigraphical Reactive System). We use the notation $BG(\Sigma, \mathcal{R})$ to denote a bigraphical reactive system with a signature $\Sigma$ (the set of constituent controls), and a set of reaction rules $\mathcal{R}$. More formally, $BG(\Sigma, \mathcal{R})$ is an spm category [27] in which the objects are interfaces and the arrows are bigraphs (which we refer to as agents of $BG(\Sigma, \mathcal{R})$), equipped with a set of reaction rules

Figure 5: The process send(a).recv(b).nil | recv(a).send(b).recv(a).nil

Figure 6: The $R_{ccs}$ reaction rule



As an example, we introduce a very simple calculus in the style of the Calculus of Communicating Systems (CCS), where we first give an encoding of the terms as bigraphs, and then define a reaction rule that imbues these terms with dynamic behaviour. Interested readers are referred to [21] for a real encoding of CCS.

Our calculus defines sequencing (t.P), parallel composition (/ 1 1), and sending and receiving on 
a named channel ("x!" and "y?", respectively, where x and y are channel names). The encoding of these constructs into the bigraphical term language in Definition 5 is straightforward — these primitives are already defined in terms of the bigraphical term language, except for "send" and "receive" which we straightforwardly encode as nodes with controls send and recv, each with arity 1. Fig. 5 gives a graphical representation of the process send(a).recv(b).nil | recv(a).send(b).recv(a).nil. According to our encoding, sequencing is represented by prefixing, parallel composition by juxtaposition, actions (such as send and recv) by passive controls, and channels by outer names. This is by no means the only encoding possible, but this technique is one of the most straightforward.

Having developed the encoding of our calculus within bigraphs, we can give a reaction rule $R_{ccs}$ that will (through repeated rewriting) reduce the term as far as possible based upon agreement between parallel processes as to which action should be taken next:

$$R_{ccs} = recv(x).-_0 \,|\, send(x).-_1 \to -_0 \,|\, -_1$$

This rule is presented graphically in Fig. 6. It essentially "peels off" the outer layers of the terms where a send and a recv action are linked to the same channel name, rewriting the entire bigraph to the juxtaposition of whatever was nested inside those send and recv controls (i.e. the parts of the bigraph matched by the holes in the redex). As an example, the CCS reaction $a!.b? \,|\, a?.c! \to b? \,|\, c!$ becomes the bigraphical reaction

$$send(a).recv(b).\mathsf{nil} \,|\, recv(a).send(c).\mathsf{nil} \to recv(b).\mathsf{nil} \,|\, send(c).\mathsf{nil}$$


3 Example 

Aside from their role as a meta-calculus for the study of process modelling formalisms, bigraphical reactive systems are intended to provide a basis upon which to construct models of the kinds of context-aware and ubiquitous systems that are becoming increasingly popular. Consequently, we introduce an example based on modelling a context-aware social network notification system, such that a user is notified whenever a friend is in the same physical location.

We will give this example without using the link-graph part of bigraphs to keep it simple. We emphasise that the example generalises to a more interesting one in which connectivity counts — where notification is dependent not only on physical co-location but also on whether or not users and friends are virtually connected through their laptops and phones.

We will subsequently extend this to a system in which not all friends, but rather only particular 
designated "special friends", trigger notifications, and show that (and in what sense) the latter system is 
a refinement of the former. 

The example system captures the dynamics of some physical environment (consisting of discrete 
zones within which we can detect the presence of a user by some mechanism that is outside the scope of 
this model) in which a user's friends move from zone to zone. When one of the user's friends is present 
in the same zone as the user, a notification is given, modelled by adding a "notification" node to the zone. 

3.1 The abstract system: $BRS_{notify}$

We first define controls Z (Zone), U (User), F (Friend), N (Notification) and S (Special friend marker). Every control has arity 0 and every control is active; altogether we have a signature

$$\Sigma_N = \{Z, U, F, N\}$$

The bigraphs of our systems are thus arbitrary trees over these controls. We shall of course be interested only in those where Z are inner nodes and the remaining controls are leaves.

With these particular bigraphs in mind, we give reaction rules reconfiguring a bigraph by allowing nodes with control F — friends — to move between nested zones as follows. These rules are illustrated graphically in Fig. 7.

$$M_1 = Z.(F \,|\, -_0) \,|\, Z.-_1 \to Z.-_0 \,|\, Z.(F \,|\, -_1)$$

$$M_2 = Z.(Z.(F \,|\, -_0) \,|\, -_1) \to Z.(Z.-_0 \,|\, F \,|\, -_1)$$

$$M_3 = Z.(Z.-_0 \,|\, F \,|\, -_1) \to Z.(Z.(F \,|\, -_0) \,|\, -_1)$$

Reaction rules are here given in the form "$R \to R'$" rather than the more precise $(R, R', \eta)$; recall from the above introduction to bigraphs that we use the former form whenever $\eta$ is inconsequential (in this case, it is the identity map).

We extend the movement rules M with an additional rule $R_1$ for notifications to be issued when a U (user) and F (friend) node exist within the same zone. This reaction rule is illustrated in Fig. 8.

$$\Sigma_N = \Sigma_M \cup \{U, N\}$$

$$R_1 = Z.(U \,|\, F \,|\, -_0) \to Z.(U \,|\, F \,|\, N \,|\, -_0)$$

Figure 7: Reaction rules $M_1$, $M_2$ and $M_3$ that allow friend nodes to move between zones.

Let $BRS_{notify}$ be the bigraphical reactive system formed by the addition of the reaction rule $R_1$ to the set of movement rules M:

$$BRS_{notify} = BG(\Sigma_N, M \cup \{R_1\})$$

3.2 The concrete system: $BRS_{selective}$

We now create a second bigraphical reactive system, this one refining (both intuitively and in a sense to be made precise) the system $BRS_{notify}$ just introduced. In this new system, instead of simply notifying whenever any friend is present in the same zone as the user, we wish only to issue a notification in the presence of a particular designated friend, distinguished by the presence of an S (special friend marker) inside the friend node in question. Consequently, we define the set of controls $\Sigma_S$ for $BRS_{selective}$ to include (in addition to the controls of $\Sigma_N$) the S control. The modified reaction rule $R_2$ is presented graphically in Fig. 9.

$$\Sigma_S = \Sigma_N \cup \{S\}$$

$$R_2 = Z.(U \,|\, F.S \,|\, -_0) \to Z.(U \,|\, F.S \,|\, N \,|\, -_0)$$

$$BRS_{selective} = BG(\Sigma_S, M \cup \{R_2\})$$

Figure 8: Reaction rule $R_1$

Figure 9: Reaction rule $R_2$

At an intuitive level, this BRS refines the one of the previous sub-section. In the following section, we shall define exactly in what sense this is the case.

4 Vertical BRS Refinement 

We recall the distinction here between horizontal and vertical refinement. Vertical refinement is concerned with moving between differing levels of abstraction, or indeed completely independent modelling languages, whereas horizontal refinement instead aims to relate models specified at the same fundamental level of abstraction, and within the same modelling setting. When we refer to the refinement of a BRS, we mean a vertical refinement; indeed, this is the only meaningful interpretation, as a BRS is the category consisting of (infinitely) many actual agents of the same general shape. We will later return (briefly) to what it would mean for an agent to be refined, that is, to a horizontal refinement between two agents of the same BRS (each of which would be bigraphs, representing — for example — two CCS processes).

To summarise the distinction between horizontal and vertical refinement in the setting of BRSs: In 
the former case, we are talking about what we can observe of all such agents, whereas in the latter we are 
referring to what we can observe of the behaviour of a single agent. In the present section, we consider 
vertical refinement; we comment on horizontal refinement in the subsequent section. 

4.1 Safe refinements 

First, what observations can you make of bigraphical agents? While the notion of a trace is familiar within refinement literature, within bigraphical reactive systems it is unclear exactly what might correspond to an action within the usual definition of a trace. Consequently, we formulate a trace of a BRS such that each element of the trace is a bigraphical agent (i.e., a bigraph of that BRS). Therefore the notion of trace is not one of a system exhibiting behaviour in the form of some observable actions, rather, it is the entire state of the model as it changes over time such that every element of the trace is a bigraph, related to the next element of the trace by the application of some reaction rule. While this may seem


G. Perrone, S. Debois & T. Hildebrandt 






very crude at first glance, it is important to remember that the dynamic behaviour of a bigraph is derived from reaction rules and the structure in a perhaps more direct manner than in many other calculi. As such, it makes sense to consider the abstract specification to comprise, by itself, an entire observation — cf. the structure of agents of $BRS_{notify}$ above.

If an observation is a complete agent of the abstract specification, what then is an observation of an agent of the concrete system? We leave that to the system constructor, merely insisting that the observations one makes of concrete implementation agents must somehow be a function of their structure. Thus, observations of concrete agents are given by a structure-preserving map from concrete agents to abstract ones. In the parlance of category theory, this is called a "functor", a functor that we shall in this instance call an abstraction functor.

Definition 8 (Trace, observation). For a given BRS $A$, a trace is a (possibly infinite) sequence of bigraphs (agents) $(a_1, a_2, \ldots)$, such that for each $a_i$ and $a_{i+1}$ in the sequence there is a reaction $a_i \to a_{i+1}$. If $s = (s_1, \ldots, s_n)$ and $t = (t_1, \ldots)$ are traces and $s_n \to t_1$, we may form the composite trace $s;t = (s_1, \ldots, s_n, t_1, \ldots)$. In this case we say that $t$ is an extension of $s$. We write $Tr(A)$ for the set of all traces of a given BRS $A$. If $F : A \to A'$ is a functor and $(a_1, a_2, \ldots) \in Tr(A)$ is a trace of $A$, we apply $F$ pointwise to obtain a trace $F(t) = (F(a_1), F(a_2), \ldots)$.

Note that $Tr(x)$ is by definition prefix-closed; that is, for any trace $t \in Tr(x)$, every prefix $t'$ of $t$ is also in $Tr(x)$.

Of course, not just any functor will do: to have a refinement, the dynamic behaviour of the concrete implementation must be allowed by the dynamic behaviour the abstract specification allows on its agents, the observations. Altogether, our notion of refinement follows from the usual trace equality, however, because a BRS tends to permit too much observation, our bigraphical notion of refinement requires as a side condition that there exist an abstraction functor $F : C \to A$ such that for any trace $(c_0, c_1, \ldots)$, $F$ gives rise to a trace $(F(c_0), F(c_1), \ldots)$. We present vertical refinement as the conjunction of two constituent definitions, separating the preservation of orthogonal safety and liveness properties through refinement.

Definition 9 (Safe Vertical Refinement).

$$A \sqsubseteq_F^{safe} C \ \stackrel{\text{def}}{=}\ F(Tr(C)) \subseteq Tr(A)$$

This definition satisfies the "reduction of nondeterminism" role of refinement, in that it is always 
valid to simply pick one alternative and implement it in C when presented with nondeterministic choice 
in A. 

Lemma 1. Safe Vertical Refinement is transitive and reflexive for the identity functor.

Proof. Reflexivity is trivial. Suppose $A \sqsubseteq_F^{safe} C$ and $C \sqsubseteq_G^{safe} D$. Then $FG(Tr(D)) \subseteq F(Tr(C)) \subseteq Tr(A)$. □

We proceed to illustrate safe refinement using the two BRSs above, then give a sufficient condition 
for an abstraction functor to yield a safe refinement. 

Recall our claim that $BRS_{selective}$, which issues notifications upon co-location with "special friends", is a refinement of $BRS_{notify}$, which does so upon co-location with any friend. The latter employs an additional control S. This indicates that our abstraction functor must (at the very least) ensure that all nodes of control S must be hidden, renamed or removed so as to ensure that the codomain of $F$ is $BRS_{notify}$ (i.e. that $F$ can transform any agent of $BRS_{selective}$ into a valid agent of $BRS_{notify}$).

By this reasoning, we arrive at an abstraction functor "pattern" that is likely applicable to many other BRSs. We call this the hiding functor. Its essential function is to simply hide, for a given signature $\Sigma$, all nodes that have been assigned controls from some particular set of controls $H$. This includes joining any children of nodes that will be hidden to parents that will remain visible after the application of the hiding functor. For our example, the hiding set $H = \{S\}$ (i.e. the designated "special" friend control).

Definition 10 (Hiding Functor). We define an abstraction functor $F_{\Sigma,H} : BG(\Sigma) \to BG(\Sigma \setminus H)$ for hiding, parametrised by $\Sigma$, the signature of the "implementation" BRS, and $H$, a set of controls to be hidden. On objects, this functor is the identity. On arrows, its action is $F_{\Sigma,H}((V, E, \mathit{ctrl}, \mathit{prnt}, \mathit{link})) = (V', E, \mathit{ctrl}', \mathit{prnt}', \mathit{link})$, where

- $V' = \{v \in V \mid \mathit{ctrl}(v) \notin H\}$

- $\mathit{ctrl}' = \mathit{ctrl} \restriction V'$, and

- $\mathit{prnt}'(l) = \begin{cases} \mathit{prnt}(l) & \text{where } \mathit{ctrl}(\mathit{prnt}(l)) \notin H \\ \mathit{prnt}'(\mathit{prnt}(l)) & \text{otherwise} \end{cases}$

This "hiding functor" is an abstraction functor for our example system. Recalling the definition of a bigraphical agent (and therefore of an arrow in the category $BRS_{notify}$ or $BRS_{selective}$) given in Definition 2, the purpose of this hiding functor is to exclude any nodes that have a control that is in the set of hidden controls $H$, exclude these controls from the control map $\mathit{ctrl}$, and recursively recreate the parent map $\mathit{prnt}$ such that any children of a node with a control in $H$ are attached to its most immediate place-graph ancestor that is not marked with a control in $H$. We call the abstraction functor for our example notification system $A_{friend}$, which is defined as the hiding functor above, instantiated with $H = \{S\}$.

While the hiding functor has the flavour of a forgetful functor — it dispenses with structure — it 
cannot reasonably be called so as it is not faithful. Many distinct configurations (e.g. special-friend 
controls) will map to the same bigraph. This is a technical distinction only; we use "hiding" in no special 
sense, except as a name for abstraction functors of this general shape. 

It is easy to prove that with $A_{friend}$ as abstraction functor, $BRS_{selective}$ is indeed a safe refinement of $BRS_{notify}$. However, instead of proving so directly, we shall instead provide a general theorem about abstraction functors: When they preserve reaction, and in particular, when they preserve just reaction rules, they give rise to safe refinement.

Theorem 1. Let $F : C \to A$ be an abstraction functor. If $F$ preserves reaction, that is, if $c \to c'$ implies $F(c) \to F(c')$, then $A \sqsubseteq_F^{safe} C$.

Proof. Immediate from Definition 9 of safe refinement. □
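
The check that Definition 9 and Theorem 1 describe, run on the two example systems, as an added Python example (not code from the paper). It models place graphs only, includes only the notification rules R1 and R2 (the movement rules are left out), and the names `node`, `hide`, `steps`, `traces` and `safe_on` are assumptions of this example.

```python
# Added example: place graphs only, as in the paper's running example.
# A node is (control, sorted tuple of children); sorting makes juxtaposition
# order-insensitive, so structurally equal agents compare equal.

def node(ctrl, *children):
    return (ctrl, tuple(sorted(children)))

def hide(n, hidden):
    """Hiding functor on one subtree: returns the nodes that replace n."""
    ctrl, kids = n
    new_kids = [m for k in kids for m in hide(k, hidden)]
    if ctrl in hidden:
        return new_kids   # children re-attach to the nearest visible ancestor
    return [node(ctrl, *new_kids)]

def hide_agent(agent, hidden):
    (root,) = hide(agent, hidden)   # assumes the root control is not hidden
    return root

def steps(agent, friend):
    """One-step reactions of Z.(U | friend | -0) -> Z.(U | friend | N | -0).

    Every control is active, so the rule may fire at any depth."""
    ctrl, kids = agent
    out = set()
    if ctrl == "Z" and node("U") in kids and friend in kids:
        out.add(node(ctrl, *kids, node("N")))
    for i, k in enumerate(kids):
        for k2 in steps(k, friend):
            out.add(node(ctrl, *kids[:i], k2, *kids[i + 1:]))
    return out

R1_FRIEND = node("F")             # friend in the redex of R1: a plain F node
R2_FRIEND = node("F", node("S"))  # friend in the redex of R2: F.S
HIDDEN = {"S"}                    # hiding set H of the example

def traces(agent, friend, depth):
    """All traces starting at `agent` with at most `depth` reactions."""
    yield (agent,)
    if depth:
        for nxt in steps(agent, friend):
            for t in traces(nxt, friend, depth - 1):
                yield (agent,) + t

def is_trace(seq, friend):
    """True if every consecutive pair of agents is related by a reaction."""
    return all(b in steps(a, friend) for a, b in zip(seq, seq[1:]))

def safe_on(agent, depth):
    """F(Tr(C)) included in Tr(A), restricted to the concrete traces that
    start at `agent` and have at most `depth` reactions."""
    return all(
        is_trace(tuple(hide_agent(c, HIDDEN) for c in t), R1_FRIEND)
        for t in traces(agent, R2_FRIEND, depth)
    )

# Constructed sample agent: Z.( Z.(U | F.S) | Z.(U | F.S | F) )
SAMPLE = node("Z",
              node("Z", node("U"), R2_FRIEND),
              node("Z", node("U"), R2_FRIEND, node("F")))

if __name__ == "__main__":
    print(hide_agent(SAMPLE, HIDDEN))
    print(safe_on(SAMPLE, 3))
```

A zone holding U and a plain F has an R1 reaction in the abstract system but no R2 reaction in the concrete one, which is the inclusion (rather than equality) that Definition 9 asks for.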

From this theorem it becomes apparent that an abstraction functor may be any functor at all that 
obeys this property. 

The terminology deceives, here: The guarantee that the concrete system has no more behaviour than 
the abstract one is in fact upheld by the abstraction functor preserving behaviour. 

Of course, proving that a functor preserves reaction need not at all be easy. Fortunately, we can 
exploit the connection between static structure and dynamic behaviour of bigraphs: a functor which 
preserves the reaction rules, structurally, will also preserve (dynamic) reaction, and will thus be a safe 
refinement. 

Theorem 2 (Safe Abstraction Functors). Let $A = BG(\Sigma, \mathcal{R})$ and $C = BG(\Sigma', \mathcal{R}')$ be BRSs. A functor $F : C \to A$ yields a safe vertical refinement $A \sqsubseteq_F^{safe} C$ if it satisfies the following conditions.

1. It preserves and respects tensor.

2. It preserves active contexts.

3. It preserves reaction rules: For any reaction rule $(R, R', \rho) \in \mathcal{R}'$, (a) the $F$-image $(F(R), F(R'), \rho)$ is a rule in $\mathcal{R}$; and (b) for any parameter $d$ of that rule, $\bar{\rho}(F(d)) = F(\bar{\rho}(d))$.

Proof. Suppose $c_1, \ldots, c_n$ is a trace of $C$. It is sufficient to prove that for each $i < n$, there is a reaction $F(c_i) \to F(c_{i+1})$. We know that $c_i \to c_{i+1}$, so there is some reaction rule $(R, R', \rho) \in \mathcal{R}'$, context $E$ of $C$, and some set of names $Z$ s.t.

$$c_i = E \circ (R \otimes 1_Z) \circ d \to E \circ (R' \otimes 1_Z) \circ \bar{\rho}(d) = c'_i$$

Where $\bar{\rho}(d)$ is the instantiation of parameters (see [21] for details). But then, because $(F(R), F(R'), \rho)$ is a rule of $\mathcal{R}$, we compute and find

$$a_i = F(c_i) = F(E \circ (R \otimes 1_Z) \circ d) = F(E) \circ (F(R) \otimes 1_{F(Z)}) \circ F(d) \to F(E) \circ (F(R') \otimes 1_{F(Z)}) \circ \bar{\rho}(F(d)) = F(E) \circ (F(R') \otimes 1_{F(Z)}) \circ F(\bar{\rho}(d)) = F(E \circ (R' \otimes 1_Z) \circ \bar{\rho}(d)) = F(c'_i) = a'_i$$

□

We remark that the three conditions of this Theorem appear to be good candidates for a definition of 
a morphism of parametric reactive systems, as suggested in the forthcoming Q. 

It is straightforward to verify that for our example BRSs, $BRS_{selective}$ and $BRS_{notify}$, the hiding functor does in fact satisfy the three conditions of this Theorem. Thus we have the following corollary:

Corollary 1. $BRS_{selective}$ is a sound refinement of $BRS_{notify}$ with respect to the abstraction functor $A_{friend}$, that is,

$$BRS_{notify} \sqsubseteq^{safe}_{A_{friend}} BRS_{selective}$$

The $\sqsubseteq^{safe}$ relation captures safety properties of the system being refined (i.e. it does not permit a refined model any undesirable extra behaviour, provided that the abstraction functor does not hide any "undesirable" behaviour). However, it does not guarantee that the system does anything at all (i.e. an empty trace is a safe refinement of any system). To guarantee that some additional liveness properties are preserved by refinement, it is necessary to extend our definition.



4.2 Live refinements 

In order to guarantee that a given concrete system actually exhibits any of the desirable behaviour of the abstract system that it refines, we must define a notion of liveness. Whereas in a process algebraic setting it might be possible to rely on the presence of a particular output (or all possible outputs) to define "desired" observable behaviour, within a bigraphical setting the lack of any primitive notions of "input" or "output" (it is up to the system designer to define what these concepts mean with respect to a particular model) means that it is necessary to explicitly choose such "desirable" behaviours.

In the absence of an intrinsic notion of desirable behaviour, we further parametrise our notion of liveness, already parametric in terms of the abstraction functor $F$, on the admissible traces. This parametrisation on the notion of admissibility is akin to those used in lfT3l[m.

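Definition 11 (Live Vertical Refinement). Let $F : \mathcal{C} \to \mathcal{A}$ be an abstraction functor, let $\mathbf{C} \subseteq Tr(\mathcal{C})$ be
the admissible traces for $\mathcal{C}$, and let similarly $\mathbf{A} \subseteq Tr(\mathcal{A})$, the admissible traces of $\mathcal{A}$. We then say that
$(\mathcal{C}, \mathbf{C})$ is a live refinement of $(\mathcal{A}, \mathbf{A})$ iff for every trace $s$ of $Tr(\mathcal{C})$, whenever $F(s)$ has an extension $t'$ to an
admissible trace $F(s);t' \in \mathbf{A}$, then there exists an extension $s'$ of $s$ to an admissible trace $s;s' \in \mathbf{A}$ with
$F(s') = F(t')$. In this case we write:

$$(\mathcal{A}, \mathbf{A}) \sqsubseteq^{live}_F (\mathcal{C}, \mathbf{C}).$$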
If we wish to take the admissible traces $\mathbf{A}$ of the abstract system $\mathcal{A}$ as canonical, we can define $\mathbf{C}$ as
those traces whose $F$-images are admissible.

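Lemma 2. Live Vertical Refinement is transitive.

Proof. Suppose $(\mathcal{A}, \mathbf{A}) \sqsubseteq^{live}_F (\mathcal{C}, \mathbf{C})$ and $(\mathcal{C}, \mathbf{C}) \sqsubseteq^{live}_G (\mathcal{D}, \mathbf{D})$, and suppose $FG(t);u' \in \mathbf{A}$. Then $u'$ has a
pre-image with $G(t);s' \in \mathbf{C}$; but then $s'$ has a pre-image $t'$ with $\in \mathbf{D}$. □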

Let us provide a suitable set of admissible traces for our running example, $BRS_{notify}$. For this BRS,
the obvious notion of admissibility (think "successful") is when notification has occurred. So we define 
the set of admissible traces as simply those finite traces in which the user has been notified, that is, in 
which the final agent contains the notification control next to the user and his friend: 

$$\mathbf{S}_{notified} = \{(a_1, \ldots, a_n) \in Tr(BRS_{notify}) \mid \exists C.\ a_n = C \circ (U \mid F \mid N)\}$$

For $BRS_{selective}$, we transfer the notion of admissibility:

$$\mathbf{S}_{selective} = \{t \in Tr(BRS_{notify}) \mid F(t) \in \mathbf{S}_{notified}\}$$

The selective system $BRS_{selective}$ under these notions of admissibility is in fact not a live refinement of
the original one, $BRS_{notify}$. One might think so: after all, one can extend a trace to admissibility simply
by moving the special friend next to the user. Unfortunately, there need not be a special friend, and even
if there were, the abstract system might extend to admissibility by moving a (non-special) friend next to
the user. We will now show this in detail, thus proving the following proposition:

Proposition 1. $(BRS_{notify}, \mathbf{S}_{notify}) \not\sqsubseteq^{live}_{A_{friend}} (BRS_{selective}, \mathbf{S}_{selective})$.

Proof. Consider an agent $Z.(U \mid F)$ of $BRS_{selective}$. Applying $A_{friend}$ we find simply $A_{friend}(Z.(U \mid F)) = Z.(U \mid F)$,
which succeeds after just one reaction

$$Z.(U \mid F) \longrightarrow Z.(U \mid F \mid N)$$

by reaction rule $R_1$. Now, if we actually had a live refinement, we should be able to match this reaction
in $BRS_{selective}$. A simple inspection of the rules, however, proves that this is not possible. □
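
The counterexample in this proof can be replayed mechanically on a finite model. The following Python sketch is an added example, not code from the paper: agents are plain strings (a constructed toy encoding in which `.S` is a hypothetical marker for the special friend and the context Z is omitted), and it searches bounded traces for violations of Definition 11. It assumes the concrete extension s;s' must be admissible in the concrete set, as the proof of Lemma 2 does, and takes that set to be the concrete traces whose image under the abstraction is admissible.

```python
# Constructed toy encoding, not the paper's bigraphs: agents are strings,
# ".S" is a hypothetical special-friend marker, "N" the notification control.
ABSTRACT_AGENTS = ["U|F", "U|F|N"]
ABSTRACT_RULES = {"U|F": ["U|F|N"]}        # notify: any friend next to the user
CONCRETE_AGENTS = ["U|F", "U|F.S", "U|F.S|N"]
CONCRETE_RULES = {"U|F.S": ["U|F.S|N"]}    # selective: only the marked friend

def hide(agent):
    """Abstraction on agents: forget the special-friend marker."""
    return agent.replace(".S", "")

def F(trace):
    """Abstraction applied pointwise to a trace (a tuple of agents)."""
    return tuple(hide(a) for a in trace)

def traces(agents, rules, max_len=4):
    """All finite traces of length <= max_len starting from any given agent."""
    frontier = [(a,) for a in agents]
    found = set(frontier)
    for _ in range(max_len - 1):
        frontier = [t + (b,) for t in frontier for b in rules.get(t[-1], [])]
        found.update(frontier)
    return found

def notified(trace):
    """Admissible = the final agent contains the notification control."""
    return trace[-1].endswith("|N")

def liveness_failures(conc_traces, abs_traces):
    """Pairs (s, t') that violate Definition 11; an empty list means live."""
    abs_adm = {t for t in abs_traces if notified(t)}
    conc_adm = {s for s in conc_traces if notified(F(s))}   # transferred along F
    failures = []
    for s in conc_traces:
        fs = F(s)
        # every abstract extension t' with F(s);t' admissible ...
        for t in abs_adm:
            if t[:len(fs)] != fs:
                continue
            t_ext = t[len(fs):]
            # ... needs a concrete extension s' with s;s' admissible, F(s') = F(t')
            if not any(c[:len(s)] == s and F(c[len(s):]) == F(t_ext)
                       for c in conc_adm):
                failures.append((s, t_ext))
    return sorted(failures)

if __name__ == "__main__":
    abst = traces(ABSTRACT_AGENTS, ABSTRACT_RULES)
    print(liveness_failures(traces(CONCRETE_AGENTS, CONCRETE_RULES), abst))
    print(liveness_failures(traces(["U|F.S"], CONCRETE_RULES), abst))
```

The first call reports the single witness: the unmarked agent `U|F`, whose abstract image can reach notification in one step while the concrete agent cannot move. Restricting the concrete system to agents that already carry the marker yields no failures.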

This is, however, not a show-stopper, rather it is a welcome demonstration of the utility of such a
vertical refinement mechanism. We could remedy this situation by introducing into $BRS_{selective}$ an additional
reaction rule that spontaneously adds the designated friend marker S to any friend F. However, this
seems to contradict the intuition of the model, so in this instance it is perhaps better to leave $BRS_{selective}$
unmodified and accept that there are (known) conditions under which this BRS cannot progress to a
successful state.

Having defined our two separate (live and safe) refinement relations, we can complete the definition 
of safe and live vertical refinement: 

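Definition 12 (Safe and Live Vertical Refinement).

$$(\mathcal{A}, \mathbf{A}) \sqsubseteq_F (\mathcal{C}, \mathbf{C}) \;=\; \mathcal{A} \sqsubseteq^{safe}_F \mathcal{C} \;\wedge\; (\mathcal{A}, \mathbf{A}) \sqsubseteq^{live}_F (\mathcal{C}, \mathbf{C})$$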
5 Discussion & related work

Having introduced our notion of vertical BRS refinement and shown the conditions under which it is safe 
and live with respect to the chosen abstraction functor, we now discuss potential approaches to horizontal 
refinement and related work. As it happens, both topics take us to the general refinement of Reeves and 
Streader [23][24].

General horizontal refinement recognises three components to refinement: entities $E$, i.e., the specifications
and implementations being refined; contexts $\Xi$, which are the environment within which the
entities interact; and a user, which defines the possible observations $O(-)$ that can be made of an entity
within a particular context. Refinement is then the relation

$$A \sqsubseteq_{\Xi,O} C \;=\; \forall x \in \Xi.\ O([C]_x) \subseteq O([A]_x),$$

where $\Xi$ is the set of contexts, $O$ is a map assigning observations to entities in contexts, and $[-]_x$ inserts
an entity into context $x$.

Interestingly, our proposed notion of bigraphical vertical refinement falls under the umbrella of general
horizontal refinement. Entities would be BRSs (like $BRS_{notify}$ and $BRS_{selective}$); contexts $\Xi$ would
be just the trivial context, which leaves the entity unchanged. Finally, the observation map $O$ is in our
case simply Tr(-), the map that takes a BRS to the traces observable of it. We do not think this is a 
coincidence. It seems intuitive that horizontal refinement of an entire class of agents would correspond 
to vertical refinement. 

What about general vertical refinement, then? The definition of vertical refinement within the general 
refinement framework [24] relies upon a notion of layers, representing a level of abstraction in terms of
$(E_L, \Xi_L, O_L)$, where $E_L$ is a set of entities, $\Xi_L$ is a set of contexts and $O_L$ is an observation function.
Vertical refinement is then defined in terms of a Galois-connection that interprets high-level entities as 
low-level ones and vice versa. 

The analogy of this notion with our use of an abstraction functor $F : \mathcal{C} \to \mathcal{A}$ should be apparent:
If we could find that functor F to be one of an adjoint pair, we would be in an analogous situation. 
Unfortunately, it remains unclear if such an adjunction would retain the intuition behind the Galois- 
connection of general vertical refinement: morphisms (i.e., bigraphs) do not measure approximation; 
they represent the agents under investigation. In particular, the hiding functors used for the example in 
the present paper do not appear to be part of adjoint pairs. 

Leaving vertical refinement behind, what is then a good notion of horizontal refinement for bigraphs? 
Returning to general horizontal refinement, bigraphs actually do come with a notion of entity, context, 
and observation, namely agents (roughly, bigraphs with no holes/inner names), bigraph contexts (bi- 
graphs with holes/inner names), and an LTS (given a BRS). We have in the present paper by-passed the 
LTS as the notion of observation, following the bigraphical connection by structure and dynamics to its 
extreme conclusion, using the structure of the abstract specification as the observations. 

For horizontal refinement, this approach appears not sensible: We would after all be relating agents 
of the same BRS. Important examples (like CCS-process refinement) cannot be expressed within this 
particular approach, which should guide the development of other horizontal refinement strategies for 
bigraphical agents. One obvious choice seems now to be the LTS intrinsic to BRSs. We have yet to 
pursue this option; we caution that while BRS LTSs have been successful in recovering semantics of 
various process algebras and other models of concurrency, it has been less successful in providing useful 
semantics for pervasive systems, one of our key interests. 

However, even leaving the question of suitable observations open, we would likely find a notion 
inside general horizontal refinement by taking

$$a \sqsubseteq_O c \;=\; \forall x \in \Xi.\ O(x \circ c) \subseteq O(x \circ a),$$

where $a$ and $c$ are agents of some BRS $\mathcal{B}$; $\Xi$ is the set of contexts of that BRS, and $O$ is some notion
of the semantics of agents of $\mathcal{B}$, perhaps traces of the LTS of $\mathcal{B}$, or perhaps some other notion. Indeed,
early indications are that this approach would be promising in recovering (for example) CCS process 
refinement, contingent upon an appropriate notion of observation. 

5.1 Related Work 

Restricting the set of controls admissible under a certain control, or requiring a control to be present 
is well-studied in bigraphs (e.g., El EH \19\ El). However, that study has invariably focused on en- 
suring that the bigraphical LTS theory is retained under such additional constraints, and are thus only 
superficially related to the present paper. 

Goldsmith & Creese ||9) explore an approach to refinement within bigraphs (and particularly within 
Spygraphs, a specialisation of bigraphs). They observe the ease with which one may derive an LTS for 
a BRS that is labeled exclusively by the trivial context id (equivalent to a τ action in a process algebraic
setting). These kinds of contextual labels are not helpful for analysis, as they capture no behaviour. Sim- 
ilarly, the LTS semantics of bigraphs share the same intentionality inherent in the graphical presentation. 
While Goldsmith & Creese suggest (to good effect in a CSP setting) that it may be appropriate to perform 
hiding at a process-level before considering a transition into bigraphs, this would seem inappropriate for 
many modelling situations (e.g., those which have no convenient term or process representation). While 
the transformation on bigraphical reactive systems proposed by that work may give rise to a refinement 
that is appropriate for some situations, we aim instead in this present work to work directly within the 
structure of bigraphs so as to ensure generality. As bigraphs attempt to be both a modelling formalism 
and a general meta-calculus for existing process calculi, it seems appropriate that the notion of refinement
we introduce should be similarly general, in the hope that we may recover calculus-specific notions
of refinement within this general setting. 



6 Conclusion 

We have presented a vertical refinement mechanism for bigraphical reactive systems that adds refine- 
ment to the toolbox of model builders working within a bigraphical setting. The addition of a sufficient 
condition for safe abstraction functors, and the accompanying observation that it is the preservation of 
behaviour with respect to reaction that guarantees that a refinement exhibits no undesirable behaviour, 
provides a firm foundation from which to explore the limits and utility of this kind of vertical refinement. 

We have pointed out a clear connection to the existing work on generalising refinement across many 
modelling formalisms, and therefore it seems appropriate (given the application of BRSs as a meta- 
calculus) that our notion of vertical refinement is also in some sense general. We leave for future work 
the exploration of further mechanisms for horizontal refinement within a bigraphical setting, noting that 
such a notion would very likely fall within the model of general refinement, and thus likely generalise 
well to other modelling formalisms encoded within bigraphical reactive systems. 